Roundtripping a commit via oci image looses the commitmeta which makes signed ostree break #4973
Comments
|
This is an issue for https://github.com/ostreedev/ostree-rs-ext/ but basically this is currently expected behavior, because we always create a local merge commit. Arguably this is a bug. The vision with the ostree-container stuff is that we start to sign containers, not ostree commits. But, yes. In the end, we can change the logic in https://github.com/ostreedev/ostree-rs-ext/blob/main/lib/src/container/store.rs to not make a merge commit. We were doing that originally, but for derived images today we need to synthesize a local one. (Until we get to ostreedev/ostree-rs-ext#388 ) That said, changing the store code to not make a merge commit by default is probably doable, the main thing would be switching to storing the container metadata (manifest/config) in detached commitmeta or somewhere else. |
Do you want me to move it?
Well, at boot time in the initrd we need to validate something that has the composefs digest. This could be something else, but i'm not sure what is available at boottime? |
Yeah let's, it's unrelated to rpm-ostree.
This is a larger discussion but basically I think actually where we need to get to is actually that the manifest and config at least (and possibly, for a manifest listed image all the manifests) are part of a composefs instead of living externally so they can be runtime trusted easily. |
|
Moved to ostreedev/ostree-rs-ext#630 |
I created an oci image based on an automotive image that used signed composefs, when I rebased to it everything works, but on reboot the signatures fails:
Seems the detached metadata is lost somewhere along the way, which means that the signature is not available in the deployed repo.
The text was updated successfully, but these errors were encountered: